Mac Trojan “In Wild” On Porno Site — Apocalypse Pending


Screenshot from Sophos' webpage detailing the OSX/Jahlav-C Trojan.

A new Mac Trojan has been spotted “in the wild” on a porno website, prompting a wave of misleading and inaccurate Mac malware stories.

A Trojan named OSX/Jahlav-C has been spotted on a porno website (xhottube.net), the British security group Sophos said on Friday.

In a blog post about the Trojan, Sophos also mentioned an update to an email worm called OSX/Tored-A, which has prompted news organizations to warn of renewed malware attacks against Macs.

But only OSX/Jahlav-C is in the wild, and even Sophos described OSX/Tored-A as “lame.”

The new OSX/Jahlav-C Trojan infects Macs when visitors to the “hardcore” porno website try to watch the site’s main video. They are prompted to download a “missing Video ActiveX Object” but are infected with the OSX/Jahlav-C Trojan instead, says Sophos.

The social engineering here isn’t very sophisticated — ActiveX is associated with Windows. In addition, it’s unclear what the OSX/Jahlav-C Trojan actually does. Sophos says “it will eventually run a Perl script that uses http to communicate with a remote website and download code supplied by the attacker.”

What that code does, Sophos doesn’t say. Apparently, Sophos hasn’t executed the Perl script yet. Sophos rates the Trojan as low to medium risk.

“Although there is only a tiny amount of Mac malware compared to Windows viruses, that’s going to be little consolation if your gorgeous new MacBook gets infected,” said a sarcastic post on the company blog. “And sadly we know that many Mac users still believe they are somehow magically immune from attacks.”

The company made a condescending video demonstrating the attack (posted after the jump) — “Is it safe to surf for porn on an Apple Mac?”

UPDATE: ParetoLogic, a Canadian anti-virus company, is also warning about OSX/Jahlav-C. The Trojan is associated with PornTube, says MacNN.


UPDATE 2: Reader Scam Finder says the Trojan doesn’t exist on the xhottube site. Scam Finder tried to purposely infect his Mac but failed. See the comment below.

Is it safe to surf for porn on an Apple Mac? from Sophos Labs on Vimeo.

About the author

Leander Kahney

is the editor and publisher of Cult of Mac, and author of three books about technology culture: Inside Steve’s Brain, the New York Times bestseller about Steve Jobs; Cult of Mac; and Cult of iPod. Leander has written for Wired, MacWeek, Scientific American, and The Guardian in London. Follow Leander on Twitter @lkahney and Facebook.



  • Cameron

    Trojan Horse. Still requires user to do something.

    In any case I think it’s a bit silly since it comes up with something about “ActiveX” and Macs can’t even USE ActiveX.

  • SCAM FINDER

    The problem is that the Trojan does not exist. This is the second Mac malware that Sophos has made up. As I was curious, ’cause I’m wiping Leopard tomorrow anyway, I went to the website (xhottube.net) and looked whether the behavior happened. I followed the steps to the word, and this is what happened:
    1. “you need to install a codec to watch this movie”
    2. click ok
    3. page changes
    4. Safari alerts that the page contains malware.
    5. pressed continue.
    6. error 403 forbidden.

    Their previous one was supposedly hosted on (http://www.hdtvxvid.org/index-1.html)

  • solar

    A Trojan on a porn website. I did hear the industry was aiming for a higher level of safety for its actors. What, no screenshots?

  • http://islandinthenet.com Khürt Williams

    Hmm… I’ll probably get bashed by other security pros for saying this, but … I do not consider it a security issue when a user knowingly downloads and executes something on their computer. Same reason I don’t consider it a security issue when someone gives out their credit card number to someone calling from the “credit card” company.

  • Alphaman

    Oh no!!! A piece of malware for the Mac! Run for the hills! Hide your babies and women folk!!! Duck and cover! Oh, the humanity!!!!!!

    Yawn.

    10^2 pieces of malware for the Mac. 10^6 for Windows. That’s 4 orders of magnitude difference. That’s not “a tiny amount of Mac malware compared to Windows”, that’s “a tiny, tiny, tiny, tiny! amount of Mac malware compared to Windows”.

    One new piece in the wild in what, 3 months? That’s like a 1% increase in the volume of malware for the Mac. If Windows had an article written for every piece of malware that infects it, there’d be over 20,000 articles written every day! (ref: F-Secure quotes 25K+ per day) The publishing industry would buckle under the strain of keeping up!

    Compared to 1 per quarter.

    The Mac gets dumped on disproportionately because it’s News! when a Mac-specific piece of malware comes out (and the AV Co’s. want to sell something for the Mac). (Did anyone take note of the fact that the same site that hosted this Mac malware also hosted a Windows version? Hmm? Nope, didn’t think so…) BTW, the site that hosted the Mac threat, xhottube.net, no longer delivers it. So it’s no longer a threat.

    Yawn.

  • EJ

    I think that new Apple users might not be aware that Active-X was a PC thing, although it’s certainly a red flag for me.

    As for the “Is it safe to surf for porn on a Mac?” headline… about as safe as it is to surf for just about anything on any computer — there will always be those who take advantage of the unwary to try to install malware, and there really just isn’t a foolproof way to combat it. (My solution is never to download software updates from prompts on any untrusted site — which should include any site that allows the public to provide their own content — and always get them from the manufacturer instead, but most users wouldn’t know how to do that or wouldn’t have the patience to do so.)

  • Lucas

    What is amusing is that all the mentions of malware for the Mac recently have been tied to select groups — porn site surfers, software-by-torrent thieves, etc.

    Where are the huge universal mega killer ones? Dang it. I want my Conficker and I want it now. I mean, it’s not really THAT hard to program Unix malware. It’s not brain surgery.

  • Macfan1

    I was actually able to download this file and did not get the 403 error. I was using Firefox. No warning of malware. The installer was there on my desktop and ready to go. Still curious as to what this thing does, but into the trash it goes. I do find it odd that the example site on Sophos is the actual site in question.

    So this was nothing more than a scare tactic by Sophos to sell more software? Shame on them.

  • http://razmaspaz.com razmaspaz

    If I’m running as a standard user, can a download put itself somewhere where it can get permissions to execute, chmod a file, and run in the background all without user involvement?

  • Lucas

    To raz:
    It is my understanding of the way that Unix does things that no, it can’t. Any malware worth its salt is going to want to install into the system files, and only an admin can do that, so you would be prompted for the admin username and password. Even if you were logged in as an admin, it will still ask for the password.

  • Jade

    This virus DOES exist. I went to that site, and it asked me to download that ActiveX Object, and stupidly I did, but tried exiting while it was “downloading”. My Norton was detecting a risk, and all of a sudden all these windows popped up with corrupted files, and my entire Windows program is corrupt and my computer is done. I need it to be completely reinstalled with Windows (at the very least). This virus does exist, it happened to me the night before last, and there was no way of removing it. It corrupts every file in Windows.

  • Jade

    Oh, and I don’t have a MacBook, I just have an HP computer and now it’s totalled.

  • Jack

    I’ve been there, done that. Nothing has happened that I can tell…. No speed difference or any other running object I can find. I hit a lot of these ‘forbidden’ sites; even my ISP blocked one and I told them they have no right to stop me. OK, so you’ve warned me, now let me pass. They changed their code. But now it’s like I’m running under them, they are always the first site in the path, so I don’t know what they’re doing. What’s worse, it seems they never check or recheck to see if it has been removed, so I guess tagged once, tagged for life! I have gotten a screen that claims it’s from Apple and gives me a big list of “Maleware” and “Trojans”, but they don’t appear to be on my machine! I have noticed that even Google has a warning page. It seems that they would just query your machine type and blow it off if you are on a mainframe or something… Hell, what can happen, just scratch the disk and start over again.. I’ve got good backups of things I want, so I don’t think I’m very scared….yet….hooooo….